FIND-20260325-001 · 2026-03-25 · Innovation Veille
Node.js Security Release: 9 CVEs patched across all active release lines (2026-03-24)
cve
HIGH
Node.js released security patches on March 24, 2026 for all active release lines (20.x, 22.x, 24.x, 25.x), fixing 9 CVEs, 2 of them HIGH severity. The HIGH CVEs are a TLS DoS via an uncaught exception in SNICallback (CVE-2026-21637) and a DoS crash triggered by a __proto__ header name (CVE-2026-21710). Medium-severity issues include a timing side-channel in HMAC verification and an HTTP/2 memory leak.
Source
https://nodejs.org/en/blog/vulnerability/march-2026-security-releases
ODS Impact
ODS runs Node.js 22.x (LTS 'Jod') for the ODS Dashboard (Next.js/Hono). CVE-2026-21637 (TLS DoS) and CVE-2026-21713 (HMAC timing side-channel) directly affect production. Upgrade to Node.js 22.22.2 immediately to patch all 7 CVEs affecting the 22.x line.
Security Review
License: N/A | Maintenance: ACTIVE | Risk: LOW | Recommendation: USE_WITH_CAUTION
Tags
nodejs
cve
security
tls
hmac
http2
lts